In article you write:
>What ZONEMD would provide is a method of validation of the non-authoritative
>A/ (glue) for the TLD itself.
No, assuming that the ZONEMD is signed, it just tells you that your
copy of the zone has the same glue as the one the zone's publisher
signed. As others have
On Mon, 20 Aug 2018, Brian Dickson wrote:
Those zones would have a signed ZONEMD but no DS record leading to a
validated path anyway, so those are lost without an external (from
DNSSEC) PKI which falls very far outside the scope of ZONEMD.
Paul
What Shumon was referring to is the actual TLD
Sent from my iPhone
> On Aug 20, 2018, at 10:57 AM, Paul Wouters wrote:
>
>> On Mon, 20 Aug 2018, Shumon Huque wrote:
>>
>> On Sun, Aug 19, 2018 at 3:29 PM Paul Wouters wrote:
>>
>> When using DNSSEC, the resolver should follow the glue and then perform
>> a query at the child
On Mon, 20 Aug 2018, Shumon Huque wrote:
On Sun, Aug 19, 2018 at 3:29 PM Paul Wouters wrote:
When using DNSSEC, the resolver should follow the glue and then perform
a query at the child zone to confirm the glue data. In unbound.conf
terms this is called harden-glue: yes
I
On Mon, Aug 20, 2018 at 9:53 AM Bob Harold wrote:
>
> On Sun, Aug 19, 2018 at 3:29 PM Paul Wouters wrote:
>
>>
>> When using DNSSEC, the resolver should follow the glue and then perform
>> a query at the child zone to confirm the glue data. In unbound.conf
>> terms this is called harden-glue:
On Sun, Aug 19, 2018 at 3:29 PM Paul Wouters wrote:
> On Mon, 13 Aug 2018, Brian Dickson wrote:
>
> > Subject: Re: [DNSOP] Comments on draft-wessels-dns-zone-digest-02
>
> > IF (big if, with the how/when/where etc kept as a separate discussion)
> an attacker manages to
On Mon, 13 Aug 2018, Brian Dickson wrote:
Subject: Re: [DNSOP] Comments on draft-wessels-dns-zone-digest-02
IF (big if, with the how/when/where etc kept as a separate discussion) an
attacker manages to modify glue (for example, poisoning a
resolver's cache for glue info), the attacker has
>
>
> Another limitation I've mentioned before, where DNSSEC doesn't protect you,
> is that a delegation could be falsified such that traffic goes to an
> eavesdropper that just records but doesn't modify messages.
>
> but on most networks you connect to that you don't trust, they could
> just
In article you write:
>I am not objecting other than having 0 desire to help out unsigned zones
>replace origin
>security with transport security.
The way that ZONEMD is defined in the draft, it's not very useful if
the ZONEMD record isn't signed. Otherwise the malicious party can
just
I am not objecting other than having 0 desire to help out unsigned zones
replace origin security with transport security.
Look at the suggested use of eSNI in unsigned DNS assuming some kind of DOH /
DOT transport.
This record type could easily be abused for that.
Which is why my preference
Paul, you seem suspicious that there is some underhand camel attack
being planned, here, and that the forces of good must assemble to
reveal the ugly truth and save the caravan.
I think being able to verify the integrity of a zone as a complete
data structure is useful.
I think interop is
On Fri, 10 Aug 2018, Wessels, Duane wrote:
But there are already mechanisms for this at the data set level. (This is a "belts
and suspenders" style argument.) What if -err- when, in a zone's distribution, the
glue records are either forged or simply fat-fingered? That's covered, in a way
> On Aug 10, 2018, at 7:10 AM, Paul Hoffman wrote:
>
> On 9 Aug 2018, at 17:24, Paul Wouters wrote:
>
>> The point was to allow redistribution and to not depend on a trusted source
>
> We don't know that. After the wide-ranging list discussion, it would be great
> if the document authors
> On Aug 9, 2018, at 7:19 AM, Edward Lewis wrote:
>
> FWIW, this message was spurred by this comic strip [yes, today as I write]:
> http://dilbert.com/strip/2018-08-09.
Hi Ed,
>
> "Will the time taken to generate and verify this record add to the security
> of a zone transfer?"
I think
On 9 Aug 2018, at 17:24, Paul Wouters wrote:
The point was to allow redistribution and to not depend on a trusted
source
We don't know that. After the wide-ranging list discussion, it would be
great if the document authors were clearer on what the point is / points
are in a new draft. Until
The point was to allow redistribution and to not depend on a trusted source
Sent from my phone
> On Aug 9, 2018, at 20:21, Viktor Dukhovni wrote:
>
>> On Thu, Aug 09, 2018 at 02:19:08PM +, Edward Lewis wrote:
>>
>> FWIW, this message was spurred by this comic strip [yes, today as I
FWIW, this message was spurred by this comic strip [yes, today as I write]:
http://dilbert.com/strip/2018-08-09.
"Will the time taken to generate and verify this record add to the security of
a zone transfer?"
I understand that there is no protection for cut point or glue records now, nor
any